CSP Spotlight: Hewlett Packard Enterprise

Hewlett Packard Inc. last year announced it will split in two, with Hewlett Packard Enterprise (HPE) taking on the enterprise IT business. That will include Helion, the company’s cloud computing products and services.

TBR Inc. analyst Cassandra Mooshian said the split will help HPE’s cloud business, making it “even better positioned to execute on its cloud initiatives in 2016 as HPE takes shape, permitting Helion solutions to be seen as a technology and platform-agnostic cloud provider.”

Well before HP CEO Meg Whitman announced the split last October, the company earned a unique distinction – it received Federal Risk and Authorization Management Program (FedRAMP) approval for its cloud service faster than any other cloud provider. The company gained its Authority to Operate (ATO) in 5 ½ months.

HP Helion At-A-Glance

Authorization Date: June 2013

ATO path: Joint Authorization Board (JAB)

FedRAMP411 caught up with Marilyn Hays, Security and Privacy Program Manager at HP Helion for Public Sector, for a Q & A about Helion and FedRAMP.

FedRAMP411: Tell us about the HP hybrid cloud solution for Public Sector, HP Helion.

Hays: HP’s Helion infrastructure, platform, and software services for the public sector are ‘purpose-built’ specifically for cloud service consumers who have to demonstrate compliance to government or industry overseers. We are in the IT services business. We not only demonstrate compliance with 325 FedRAMP moderate and 35 Department of Defense (DoD) FedRAMP-plus controls, we make it as easy as possible for government agencies or software vendors who have to ‘walk the walk,’ too, meaning they have to demonstrate they are compliant with regulations such as FedRAMP, DoD Cloud Security Requirements Guide (SRG), HIPAA, PCI Security Standards Council, or International Traffic in Arms Regulations (ITAR).

Our experience and expertise are in finding the best workload placement. We can broker workloads across a range of platforms from an on-premise environment to the cloud. Our two infrastructure offerings are basic Infrastructure-as-a-Service (IaaS) and the Helion Continuity cloud disaster recovery service. Our specialty, however, is the Platform-as-a-Service (PaaS) business, which leads the cloud part of a hybrid model implementation. We can provide a mix of fixed term and on-demand virtual and/or physical components that are HP-managed through the O/S and middleware; host customer components in our cloud data center or link them up to yours; or integrate and manage services from other cloud service providers (CSP) – or let you do it yourself with our managed cloud broker platform. Our FedRAMP-authorized offerings integrate smartly into a number of hybrid IT solutions for our Federal (as well as state and local government) customers who are looking to consolidate and manage a range of cloud and traditional instantiations. We can do all of these things and more, all the way up to operating your entire IT department.

FedRAMP411: Tell us about your road to FedRAMP compliance. How long did it take to become FedRAMP compliant, and why did you choose the JAB route?

Hays: Hewlett Packard Enterprise Services, U.S. Public Sector, has been providing secure and compliant outsourced IT services to the U.S. government for nearly 50 years, so we came into the process with depth and breadth of experience developing and operating FISMA programs.

Cloud system development work began in October 2011, and we employed a dedicated security team involved from the beginning to ensure that compliance was designed and built into our final product. When the system went into production in August 2012, we increased the staff working on the documentation until we kicked off in mid-December 2012. We received our p-ATO five-and-a-half months later, the fastest approval on record. We went the Joint Authorization Board route because we started before there was significant demand for cloud services by the government and kicked off before our first Federal customer signed on, and because we believed that if we could satisfy the requirements of the three-member JAB, our p-ATO would be more acceptable to other agencies.

FedRAMP411: What guidance would you offer to others regarding the process?

Hays: FedRAMP requires a cloud service provider to act like a Federal agency when it comes to security, privacy, and IT governance. You have to think hard about all 325 controls to understand the techniques, technologies, and NIST guidance, regardless of how esoteric or inapplicable it may seem to a commercial provider. You have to replace or add on to your corporate SOP to establish controls in the spirit of the guidance, or to the letter of the requirements. Debating with the FedRAMP Program Management Office (PMO) on guidance or specific controls will only lengthen the time it takes to complete the process – it will not change the requirement. You have to document your procedures and compliance methodologies, operate your system as documented, and prove it in real-time, daily, weekly, monthly, semi-annually and annually.

It is a personnel-intensive effort that never stops, and never goes away. Finally, never forget that the controls you set are your controls, established to secure your customers’ systems and data. These should embody the best practices developed by IT thought leaders representing millions of person-hours of practical security operations. FedRAMP, your Third Party Assessment Organization (3PAO), and your security, privacy, and IT governance teams are all working with a single purpose: making sure your customers’ systems and their data are as secure as you can make them.

FedRAMP411: What do you know now that you wish you knew before the certification process?

Hays: I am going to answer from recent experience, rather than dredge up ancient problems. Before we embarked on our Rev 4 package update, I wish I had known how detailed the documentation guidance has become and the challenge that hitting the new mark presents.

FedRAMP411: Why do you think some CSPs move faster through the certification process than others?

Hays: I think three elements are key.

Number one is technical compliance, component system settings and patching. Scan results are the easiest variable to measure and thus are the primary means for determining if your systems are and stay secure. The more complex your system, the more heterogeneous your environment, and the more you add features, the harder it is to implement secure settings and keep the whole system patched. Your developers and engineers are going to object to the extra work. They are going to resist patching because they are afraid it will break their system. Work this out with them, not with FedRAMP.

Number two is simply do not contest FedRAMP. State your control, make a case for it, but if FedRAMP is not satisfied, you are going to have to do something else. Any control can be a showstopper if you make it one. Moving the process forward is more important than being right.

Number three is a willingness to commit resources to resolving issues as soon as they arise. There are 325 moderate controls. You and FedRAMP are not going to agree that your control and its text are complete, concise, clear, and consistent on all of them. To keep the authorization process trundling forward, you need to get people moving on improving processes and rewriting docs as soon as you get a comment back from your Information System Security Officer (ISSO) or a JAB technical representative. The scan results change every month, which changes the Plan of Action and Milestones and the Security Assessment Report (SAR). If you take too long making process changes, getting them documented, and then validated, then your technical assessment results documentation needs changes and all of that has to be re-reviewed.

FedRAMP411: Which 3PAO did you work with?

Hays: Lunarline was our 3PAO for our p-ATO and the first annual continuous monitoring activity. We hired Coalfire for our second annual continuous monitoring activity, which included the Rev 4 update to our baseline. HP wants to have the best, most transparent and expert security, privacy, and IT governance practice in the cloud industry. We believe it is a differentiator in a market of otherwise-like services. We changed 3PAOs because (and I really mean this), we get better by hearing different points of view and being assessed in new ways. We’ve been very happy with both of our 3PAO teams, and we believe we have a stronger offering because we have leveraged more than one independent auditor in our FedRAMP efforts.

FedRAMP411: Based on your recent experience, how can the FedRAMP process be improved overall?

Hays: I’d like FedRAMP to look into a streamlined approach to authorizing and maintaining the authorizations for SaaS providers hosted and delivered by FedRAMP-authorized IaaS and PaaS cloud service providers. The best industry information we have indicates it costs millions of dollars and takes over a year to achieve provisional authorization. This is a significant barrier to entry. This is particularly true for small to midsize innovative companies that could provide valuable services to the government, but cannot fund the compliance cost.

In addition, there are vast quantities of software products that could be delivered to the government as a service, but without a significant budget increase FedRAMP can’t continuously monitor a hundred systems, never mind the potential hundreds in the market. HP already manages many complex application systems to implement our IaaS/PaaS service. It seems that there should be some way for us to deliver the application of a SaaS CSP such that they could inherit nearly all of our existing controls. If FedRAMP needed to assess a SaaS delivered by a FedRAMP CSP on only 10 percent to 20 percent of the controls and enhancements, rather than all 325, the barrier should be substantially lower.